* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rrdtool to generate graphs which will be shown by httpd. - Add nagios_read_lib() interface. - Additional fix for mongod_unit_file_t in mongodb.te. - Fix decl of mongod_unit_file to mongod_unit_file_t. - Fix mongodb unit file declaration. - Update virt_read_pid_files() interface to also allow reading symlinks with virt_var_run_t type. - Fix labeling for /usr/libexec/mysqld_safe-scl-helper. - Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons. - Allow sys_ptrace cap for sblim-gatherd caused by ps. - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Add support for mongod/mongos systemd unit files. - Allow dnssec-trigger to send sigchld to networkmanager - add interface networkmanager_sigchld - Add dnssec-trigger unit file Label dnssec-trigger script in libexec - Remove duplicate specification for /etc/localtime. - Add default labeling for /etc/localtime symlink.
This commit is contained in:
parent
c4df3c09b1
commit
229bf3d017
@ -17591,7 +17591,7 @@ index e100d88..991e1a5 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 8dbab4c..15c063c 100644
|
||||
index 8dbab4c..46d7f18 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
||||
@ -17612,15 +17612,16 @@ index 8dbab4c..15c063c 100644
|
||||
role system_r types kernel_t;
|
||||
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
||||
|
||||
@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
||||
@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
|
||||
type debugfs_t;
|
||||
files_mountpoint(debugfs_t)
|
||||
fs_type(debugfs_t)
|
||||
+dev_associate_sysfs(debugfs_t)
|
||||
+
|
||||
allow debugfs_t self:filesystem associate;
|
||||
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
|
||||
|
||||
@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
||||
@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
||||
type proc_mdstat_t, proc_type;
|
||||
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
|
||||
|
||||
@ -17653,7 +17654,7 @@ index 8dbab4c..15c063c 100644
|
||||
type proc_xen_t, proc_type;
|
||||
files_mountpoint(proc_xen_t)
|
||||
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
|
||||
@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
|
||||
@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
|
||||
type sysctl_kernel_t, sysctl_type;
|
||||
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
|
||||
|
||||
@ -17668,7 +17669,7 @@ index 8dbab4c..15c063c 100644
|
||||
# /proc/sys/net directory and files
|
||||
type sysctl_net_t, sysctl_type;
|
||||
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
|
||||
@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
|
||||
type sysctl_vm_t, sysctl_type;
|
||||
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
|
||||
|
||||
@ -17679,7 +17680,7 @@ index 8dbab4c..15c063c 100644
|
||||
# /proc/sys/dev directory and files
|
||||
type sysctl_dev_t, sysctl_type;
|
||||
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
type unlabeled_t;
|
||||
fs_associate(unlabeled_t)
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@ -17694,7 +17695,7 @@ index 8dbab4c..15c063c 100644
|
||||
|
||||
# These initial sids are no longer used, and can be removed:
|
||||
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
# kernel local policy
|
||||
#
|
||||
|
||||
@ -17702,7 +17703,7 @@ index 8dbab4c..15c063c 100644
|
||||
allow kernel_t self:capability ~sys_module;
|
||||
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow kernel_t self:shm create_shm_perms;
|
||||
@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
corenet_in_generic_if(unlabeled_t)
|
||||
corenet_in_generic_node(unlabeled_t)
|
||||
|
||||
@ -17710,7 +17711,7 @@ index 8dbab4c..15c063c 100644
|
||||
corenet_all_recvfrom_netlabel(kernel_t)
|
||||
# Kernel-generated traffic e.g., ICMP replies:
|
||||
corenet_raw_sendrecv_all_if(kernel_t)
|
||||
@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||
corenet_raw_send_generic_node(kernel_t)
|
||||
corenet_send_all_packets(kernel_t)
|
||||
@ -17736,7 +17737,7 @@ index 8dbab4c..15c063c 100644
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
@ -17746,7 +17747,7 @@ index 8dbab4c..15c063c 100644
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_bin(kernel_t)
|
||||
@@ -277,25 +314,53 @@ files_list_root(kernel_t)
|
||||
@@ -277,25 +315,53 @@ files_list_root(kernel_t)
|
||||
files_list_etc(kernel_t)
|
||||
files_list_home(kernel_t)
|
||||
files_read_usr_files(kernel_t)
|
||||
@ -17800,7 +17801,7 @@ index 8dbab4c..15c063c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -305,6 +370,19 @@ optional_policy(`
|
||||
@@ -305,6 +371,19 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(kernel_t)
|
||||
@ -17820,7 +17821,7 @@ index 8dbab4c..15c063c 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -312,6 +390,11 @@ optional_policy(`
|
||||
@@ -312,6 +391,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17832,7 +17833,7 @@ index 8dbab4c..15c063c 100644
|
||||
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
||||
# to just give it everything.
|
||||
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -332,9 +415,6 @@ optional_policy(`
|
||||
@@ -332,9 +416,6 @@ optional_policy(`
|
||||
|
||||
sysnet_read_config(kernel_t)
|
||||
|
||||
@ -17842,7 +17843,7 @@ index 8dbab4c..15c063c 100644
|
||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -343,9 +423,7 @@ optional_policy(`
|
||||
@@ -343,9 +424,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -17853,7 +17854,7 @@ index 8dbab4c..15c063c 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -354,7 +432,7 @@ optional_policy(`
|
||||
@@ -354,7 +433,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -17862,7 +17863,7 @@ index 8dbab4c..15c063c 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -367,6 +445,15 @@ optional_policy(`
|
||||
@@ -367,6 +446,15 @@ optional_policy(`
|
||||
unconfined_domain_noaudit(kernel_t)
|
||||
')
|
||||
|
||||
@ -17878,7 +17879,7 @@ index 8dbab4c..15c063c 100644
|
||||
########################################
|
||||
#
|
||||
# Unlabeled process local policy
|
||||
@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
|
||||
@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
|
||||
# Rules for unconfined acccess to this module
|
||||
#
|
||||
|
||||
@ -36486,7 +36487,7 @@ index 79048c4..c3a255a 100644
|
||||
udev_read_pid_files(lvm_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
|
||||
index 9fe8e01..3d71062 100644
|
||||
index 9fe8e01..ce00ccb 100644
|
||||
--- a/policy/modules/system/miscfiles.fc
|
||||
+++ b/policy/modules/system/miscfiles.fc
|
||||
@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
|
||||
@ -36497,7 +36498,7 @@ index 9fe8e01..3d71062 100644
|
||||
-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
|
||||
+/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)
|
||||
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
@ -42364,10 +42365,10 @@ index 0000000..d2a8fc7
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..f3a8fe7
|
||||
index 0000000..c19260b
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,713 @@
|
||||
@@ -0,0 +1,714 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -42626,6 +42627,7 @@ index 0000000..f3a8fe7
|
||||
+
|
||||
+kernel_dgram_send(systemd_networkd_t)
|
||||
+kernel_request_load_module(systemd_networkd_t)
|
||||
+kernel_rw_net_sysctls(systemd_networkd_t)
|
||||
+
|
||||
+dev_read_sysfs(systemd_networkd_t)
|
||||
+
|
||||
|
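Review bot: The miscfiles.fc hunk appears to leave two specifications for the same path on the new side, `/etc/localtime gen_context(system_u:object_r:locale_t,s0)` (no file-type filter) and `/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)`; the outer markers are lost on this rendered page, so this is inferred from the surviving inner lines and the "remove duplicate / add symlink labeling" changelog entries. An entry with no type filter already matches symlinks, so if both survive the `-l` line is redundant and only one of them should be kept; the one to keep is the typeless entry, since it also covers the regular-file case the removed `--` line used to handle. A short comment above the kept line, `# /etc/localtime may be a regular file or a symlink; match both`, would record why the type filter was dropped.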
@ -5157,7 +5157,7 @@ index f6eb485..164501c 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/apache.te b/apache.te
|
||||
index 6649962..9c06038 100644
|
||||
index 6649962..d671bf8 100644
|
||||
--- a/apache.te
|
||||
+++ b/apache.te
|
||||
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
|
||||
@ -6477,15 +6477,16 @@ index 6649962..9c06038 100644
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_t)
|
||||
@@ -832,6 +1029,7 @@ optional_policy(`
|
||||
@@ -832,6 +1029,8 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
+ nagios_read_lib(httpd_t)
|
||||
+ nagios_read_log(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -842,20 +1040,40 @@ optional_policy(`
|
||||
@@ -842,20 +1041,40 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6532,7 +6533,7 @@ index 6649962..9c06038 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -863,19 +1081,35 @@ optional_policy(`
|
||||
@@ -863,19 +1082,35 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6568,7 +6569,7 @@ index 6649962..9c06038 100644
|
||||
udev_read_db(httpd_t)
|
||||
')
|
||||
|
||||
@@ -883,65 +1117,189 @@ optional_policy(`
|
||||
@@ -883,65 +1118,189 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
@ -6780,7 +6781,7 @@ index 6649962..9c06038 100644
|
||||
files_dontaudit_search_pids(httpd_suexec_t)
|
||||
files_search_home(httpd_suexec_t)
|
||||
|
||||
@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
@@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t)
|
||||
logging_search_logs(httpd_suexec_t)
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
@ -6935,7 +6936,7 @@ index 6649962..9c06038 100644
|
||||
mysql_read_config(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@@ -1083,172 +1392,107 @@ optional_policy(`
|
||||
@@ -1083,172 +1393,107 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
@ -7173,7 +7174,7 @@ index 6649962..9c06038 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
@@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs',`
|
||||
@ -7270,7 +7271,7 @@ index 6649962..9c06038 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
@ -7287,7 +7288,7 @@ index 6649962..9c06038 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1330,49 +1591,38 @@ optional_policy(`
|
||||
@@ -1330,49 +1592,38 @@ optional_policy(`
|
||||
# User content local policy
|
||||
#
|
||||
|
||||
@ -7352,7 +7353,7 @@ index 6649962..9c06038 100644
|
||||
kernel_read_system_state(httpd_passwd_t)
|
||||
|
||||
corecmd_exec_bin(httpd_passwd_t)
|
||||
@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
|
||||
@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_passwd_t)
|
||||
|
||||
@ -24751,11 +24752,14 @@ index 37a3b7b..921056a 100644
|
||||
+')
|
||||
diff --git a/dnssec.fc b/dnssec.fc
|
||||
new file mode 100644
|
||||
index 0000000..9e231a8
|
||||
index 0000000..1714fa6
|
||||
--- /dev/null
|
||||
+++ b/dnssec.fc
|
||||
@@ -0,0 +1,3 @@
|
||||
@@ -0,0 +1,6 @@
|
||||
+/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
|
||||
+
|
||||
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
|
||||
+/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
|
||||
+
|
||||
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
|
||||
diff --git a/dnssec.if b/dnssec.if
|
||||
@ -24851,10 +24855,10 @@ index 0000000..457d4dd
|
||||
+')
|
||||
diff --git a/dnssec.te b/dnssec.te
|
||||
new file mode 100644
|
||||
index 0000000..46f4d2c
|
||||
index 0000000..64f1a64
|
||||
--- /dev/null
|
||||
+++ b/dnssec.te
|
||||
@@ -0,0 +1,63 @@
|
||||
@@ -0,0 +1,68 @@
|
||||
+policy_module(dnssec, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -24866,6 +24870,9 @@ index 0000000..46f4d2c
|
||||
+type dnssec_trigger_exec_t;
|
||||
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
|
||||
+
|
||||
+type dnssec_trigger_unit_file_t;
|
||||
+systemd_unit_file(dnssec_trigger_unit_file_t)
|
||||
+
|
||||
+type dnssec_trigger_var_run_t;
|
||||
+files_pid_file(dnssec_trigger_var_run_t)
|
||||
+
|
||||
@ -24917,6 +24924,8 @@ index 0000000..46f4d2c
|
||||
+
|
||||
+optional_policy(`
|
||||
+ networkmanager_stream_connect(dnssec_trigger_t)
|
||||
+ networkmanager_sigchld(dnssec_trigger_t)
|
||||
+
|
||||
+')
|
||||
diff --git a/dnssectrigger.te b/dnssectrigger.te
|
||||
index c7bb4e7..e6fe2f40 100644
|
||||
@ -46851,16 +46860,22 @@ index 0000000..e7220a5
|
||||
+logging_send_syslog_msg(mon_procd_t)
|
||||
+
|
||||
diff --git a/mongodb.fc b/mongodb.fc
|
||||
index 6fcfc31..91adcaf 100644
|
||||
index 6fcfc31..e9e6bc5 100644
|
||||
--- a/mongodb.fc
|
||||
+++ b/mongodb.fc
|
||||
@@ -1,9 +1,13 @@
|
||||
@@ -1,9 +1,19 @@
|
||||
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
||||
|
||||
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
|
||||
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
|
||||
+
|
||||
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+
|
||||
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
|
||||
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
||||
|
||||
@ -46872,10 +46887,20 @@ index 6fcfc31..91adcaf 100644
|
||||
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
|
||||
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
|
||||
diff --git a/mongodb.te b/mongodb.te
|
||||
index 169f236..571da1a 100644
|
||||
index 169f236..608c584 100644
|
||||
--- a/mongodb.te
|
||||
+++ b/mongodb.te
|
||||
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
|
||||
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
|
||||
type mongod_initrc_exec_t;
|
||||
init_script_file(mongod_initrc_exec_t)
|
||||
|
||||
+type mongod_unit_file_t;
|
||||
+systemd_unit_file(mongod_unit_file_t)
|
||||
+
|
||||
type mongod_log_t;
|
||||
logging_log_file(mongod_log_t)
|
||||
|
||||
@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
|
||||
type mongod_var_run_t;
|
||||
files_pid_file(mongod_var_run_t)
|
||||
|
||||
@ -46907,7 +46932,7 @@ index 169f236..571da1a 100644
|
||||
|
||||
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
||||
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
||||
@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
|
||||
@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
||||
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
||||
@ -51970,10 +51995,10 @@ index b708708..dd6e04b 100644
|
||||
+ apache_search_sys_content(munin_t)
|
||||
+')
|
||||
diff --git a/mysql.fc b/mysql.fc
|
||||
index 06f8666..d813d8a 100644
|
||||
index 06f8666..c2c13aa 100644
|
||||
--- a/mysql.fc
|
||||
+++ b/mysql.fc
|
||||
@@ -1,12 +1,26 @@
|
||||
@@ -1,27 +1,46 @@
|
||||
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
||||
-
|
||||
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
|
||||
@ -52009,7 +52034,9 @@ index 06f8666..d813d8a 100644
|
||||
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
|
||||
@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
||||
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||
+
|
||||
|
||||
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
|
||||
@ -53678,7 +53705,7 @@ index d78dfc3..40e1c77 100644
|
||||
|
||||
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||
diff --git a/nagios.if b/nagios.if
|
||||
index 0641e97..cad402c 100644
|
||||
index 0641e97..ed3394e 100644
|
||||
--- a/nagios.if
|
||||
+++ b/nagios.if
|
||||
@@ -1,12 +1,13 @@
|
||||
@ -53755,7 +53782,7 @@ index 0641e97..cad402c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
|
||||
@@ -73,15 +68,33 @@ interface(`nagios_read_config',`
|
||||
type nagios_etc_t;
|
||||
')
|
||||
|
||||
@ -53764,6 +53791,25 @@ index 0641e97..cad402c 100644
|
||||
allow $1 nagios_etc_t:file read_file_perms;
|
||||
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
|
||||
+ files_search_etc($1)
|
||||
+')
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Read nagios lib files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`nagios_read_lib',`
|
||||
+ gen_require(`
|
||||
+ type nagios_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var($1)
|
||||
+ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
|
||||
+ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -53773,7 +53819,7 @@ index 0641e97..cad402c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
|
||||
@@ -100,8 +113,7 @@ interface(`nagios_read_log',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -53783,17 +53829,18 @@ index 0641e97..cad402c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
|
||||
@@ -132,13 +144,33 @@ interface(`nagios_search_spool',`
|
||||
type nagios_spool_t;
|
||||
')
|
||||
|
||||
- files_search_spool($1)
|
||||
allow $1 nagios_spool_t:dir search_dir_perms;
|
||||
+ files_search_spool($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read nagios temporary files.
|
||||
+## Append nagios spool files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -53809,17 +53856,16 @@ index 0641e97..cad402c 100644
|
||||
+
|
||||
+ allow $1 nagios_spool_t:file append_file_perms;
|
||||
+ files_search_spool($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read nagios temporary files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read
|
||||
+## nagios temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
|
||||
@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',`
|
||||
type nagios_tmp_t;
|
||||
')
|
||||
|
||||
@ -53856,7 +53902,7 @@ index 0641e97..cad402c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
|
||||
@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',`
|
||||
type nrpe_t, nrpe_exec_t;
|
||||
')
|
||||
|
||||
@ -53873,7 +53919,7 @@ index 0641e97..cad402c 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
|
||||
@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -54558,7 +54604,7 @@ index 94b9734..448a7e8 100644
|
||||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/networkmanager.if b/networkmanager.if
|
||||
index 86dc29d..219892b 100644
|
||||
index 86dc29d..0c72c4d 100644
|
||||
--- a/networkmanager.if
|
||||
+++ b/networkmanager.if
|
||||
@@ -2,7 +2,7 @@
|
||||
@ -54789,12 +54835,11 @@ index 86dc29d..219892b 100644
|
||||
#
|
||||
-interface(`networkmanager_read_pid_files',`
|
||||
+interface(`networkmanager_manage_pid_files',`
|
||||
gen_require(`
|
||||
type NetworkManager_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
||||
+ gen_require(`
|
||||
+ type NetworkManager_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
+')
|
||||
+
|
||||
@ -54809,11 +54854,12 @@ index 86dc29d..219892b 100644
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`networkmanager_manage_pid_sock_files',`
|
||||
+ gen_require(`
|
||||
+ type NetworkManager_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
gen_require(`
|
||||
type NetworkManager_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
||||
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
+')
|
||||
+
|
||||
@ -54888,7 +54934,7 @@ index 86dc29d..219892b 100644
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',`
|
||||
@@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
@ -54999,6 +55045,24 @@ index 86dc29d..219892b 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send sigchld to networkmanager.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+#
|
||||
+interface(`networkmanager_sigchld',`
|
||||
+ gen_require(`
|
||||
+ type networkmanager_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 networkmanager_t:process sigchld;
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Transition to networkmanager named content
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -91721,7 +91785,7 @@ index 98c9e0a..562666e 100644
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, sblim_var_run_t)
|
||||
diff --git a/sblim.te b/sblim.te
|
||||
index 299756b..8ce51cb 100644
|
||||
index 299756b..7d15afd 100644
|
||||
--- a/sblim.te
|
||||
+++ b/sblim.te
|
||||
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
|
||||
@ -91803,7 +91867,7 @@ index 299756b..8ce51cb 100644
|
||||
|
||||
-allow sblim_gatherd_t self:capability dac_override;
|
||||
-allow sblim_gatherd_t self:process signal;
|
||||
+allow sblim_gatherd_t self:capability { dac_override sys_nice };
|
||||
+allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
|
||||
+allow sblim_gatherd_t self:process { setsched signal };
|
||||
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
|
||||
@ -104221,7 +104285,7 @@ index a4f20bc..b3bd64f 100644
|
||||
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
||||
diff --git a/virt.if b/virt.if
|
||||
index facdee8..c930866 100644
|
||||
index facdee8..814626a 100644
|
||||
--- a/virt.if
|
||||
+++ b/virt.if
|
||||
@@ -1,318 +1,226 @@
|
||||
@ -104822,7 +104886,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -495,53 +398,37 @@ interface(`virt_manage_virt_content',`
|
||||
@@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -104876,6 +104940,7 @@ index facdee8..c930866 100644
|
||||
- virt_home_filetrans($1, virt_content_t, $2, $3)
|
||||
+ files_search_pids($1)
|
||||
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -104886,7 +104951,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -549,34 +436,21 @@ interface(`virt_home_filetrans_virt_content',`
|
||||
@@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -104929,7 +104994,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -584,32 +458,36 @@ interface(`virt_manage_svirt_home_content',`
|
||||
@@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -104978,7 +105043,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
@@ -618,54 +496,36 @@ interface(`virt_relabel_svirt_home_content',`
|
||||
@@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105042,7 +105107,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -673,107 +533,136 @@ interface(`virt_home_filetrans',`
|
||||
@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105223,7 +105288,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -781,19 +670,18 @@ interface(`virt_home_filetrans_virt_home',`
|
||||
@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105248,7 +105313,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -801,18 +689,36 @@ interface(`virt_read_pid_files',`
|
||||
@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105290,7 +105355,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -820,18 +726,17 @@ interface(`virt_manage_pid_files',`
|
||||
@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105313,7 +105378,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -839,20 +744,18 @@ interface(`virt_search_lib',`
|
||||
@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105338,7 +105403,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -860,94 +763,267 @@ interface(`virt_read_lib_files',`
|
||||
@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105635,7 +105700,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -955,20 +1031,17 @@ interface(`virt_append_log',`
|
||||
@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105660,7 +105725,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -976,18 +1049,17 @@ interface(`virt_manage_log',`
|
||||
@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105683,7 +105748,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -995,36 +1067,35 @@ interface(`virt_search_images',`
|
||||
@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105739,7 +105804,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1032,20 +1103,17 @@ interface(`virt_read_images',`
|
||||
@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105764,7 +105829,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1053,15 +1121,57 @@ interface(`virt_rw_all_image_chr_files',`
|
||||
@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105827,7 +105892,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1069,21 +1179,28 @@ interface(`virt_manage_svirt_cache',`
|
||||
@@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -105864,7 +105929,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1091,36 +1208,188 @@ interface(`virt_manage_virt_cache',`
|
||||
@@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -106071,7 +106136,7 @@ index facdee8..c930866 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1136,50 +1405,53 @@ interface(`virt_manage_images',`
|
||||
@@ -1136,50 +1406,53 @@ interface(`virt_manage_images',`
|
||||
#
|
||||
interface(`virt_admin',`
|
||||
gen_require(`
|
||||
|
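Review bot: Granting `sys_ptrace` to sblim_gatherd_t in sblim.te (`allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };`) is broader than the stated trigger warrants; the changelog attributes the denial to `ps`, and `ps` commonly requests CAP_SYS_PTRACE only when it reads /proc/<pid> entries belonging to other users' processes, which it tolerates being refused. The usual treatment in this policy tree for that case is to silence the audit message rather than grant the capability, i.e. keep `allow sblim_gatherd_t self:capability { dac_override sys_nice };` and add `dontaudit sblim_gatherd_t self:capability sys_ptrace;`, unless the gatherer has been shown to actually trace or read another process's memory. If the capability really is required, a comment next to the rule naming the consumer (which gatherd plugin and which /proc file) would let the next reviewer confirm it is still needed. The same section's new `networkmanager_sigchld` interface in networkmanager.if also carries a duplicated `#` line in its header and no blank line before the following `########` block, which breaks the file's interface-header convention.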
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 125%{?dist}
|
||||
Release: 126%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -602,6 +602,24 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
|
||||
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
|
||||
- Add nagios_read_lib() interface.
|
||||
- Additional fix for mongod_unit_file_t in mongodb.te.
|
||||
- Fix decl of mongod_unit_file to mongod_unit_file_t.
|
||||
- Fix mongodb unit file declaration.
|
||||
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
|
||||
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
|
||||
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
|
||||
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
|
||||
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
|
||||
- Add support for mongod/mongos systemd unit files.
|
||||
- Allow dnssec-trigger to send sigchld to networkmanager
|
||||
- add interface networkmanager_sigchld
|
||||
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
|
||||
- Remove duplicate specification for /etc/localtime.
|
||||
- Add default labeling for /etc/localtime symlink.
|
||||
|
||||
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
|
||||
- Define ipa_var_run_t type
|
||||
- Allow certmonger to manage renewal.lock. BZ(1213256)
|
||||
|